Abstract

A Zero-Knowledge PCP (ZK-PCP) is a randomized PCP such that the view of any (perhaps
cheating) efficient verifier can be efficiently simulated up to small statistical distance. Kilian,
Petrank, and Tardos (STOC ’97) constructed ZK-PCPs for all languages in NEXP. Ishai,
Mahmoody, and Sahai (TCC ’12), motivated by cryptographic applications, revisited the
possibility of efficient ZK-PCPs for all $L \in \mathrm{NP}$ where the PCP is encoded as a polynomial-size
circuit that given a query $i$ returns the $i$th symbol of the PCP. Ishai et al. showed that there is
no efficient ZK-PCP for NP with a non-adaptive verifier, who prepares all of its PCP queries
before seeing any answers, unless $\mathrm{NP} \subseteq \mathrm{coAM}$ and the polynomial-time hierarchy collapses. The
question of whether adaptive verification can lead to efficient ZK-PCPs for NP remained open.

In this work, we resolve this question and show that any language or promise problem
with efficient ZK-PCPs must be in SZK (the class of promise problems with a statistical
zero-knowledge single prover proof system). Therefore, no NP-complete problem can have an
efficient ZK-PCP unless $\mathrm{NP} \subseteq \mathrm{SZK}$ (which also implies $\mathrm{NP} \subseteq \mathrm{coAM}$ and the polynomial-time
hierarchy collapses).

We prove our result by reducing any promise problem with an efficient ZK-PCP to two
instances of the Conditional Entropy Approximation problem defined and studied by
Vadhan (FOCS ’04), which is known to be complete for the class SZK.

1 Introduction


Since their inception, interactive proofs [GMR89, BM88] have had a transformative effect on
theoretical computer science in general and the foundations of cryptography in particular. In an
interactive proof for a language $L$, a computationally bounded randomized verifier $V$ and an
all-powerful prover $P$ are given a common input $x$, and $P$ tries to convince $V$ that $x \in L$. The proof
must be complete: $P$ successfully convinces $V$ that $x \in L$; as well as sound: no cheating prover
$P$ should be able to convince $V$ that $x \in L$ when $x \notin L$. [GMR89] showed that by allowing
interaction and probabilistic verification, nontrivial languages outside of BPP can be proved while
the verifier statistically “learns nothing” beyond the fact that $x \in L$. Thus, in the eyes of the verifier,
the interaction remains “zero-knowledge”. Shortly after, [GMW91] extended this fundamental result
to all of NP based on computational assumptions and a computational variant of the notion of
zero-knowledge.

The notion of zero-knowledge is formalized using the simulation paradigm: for each (possibly
cheating) efficient verifier, there is an efficient simulator that generates a verifier view that is
indistinguishable from the view the verifier would obtain by honestly interacting with the prover,
and therefore anything the verifier could do using a transcript of his interaction with the prover,
he could do by using the simulator (without talking to the prover). Throughout this paper by
default we mean statistical indistinguishability and statistical zero knowledge, namely they must
hold against any (possibly computationally inefficient) distinguisher. Any discussion about
computational indistinguishability will be made explicit.

Motivated by the goal of unconditional security, Ben-Or et al. [BGKW88] showed that if a
verifier $V$ interacts with multiple interactive provers (MIPs) $P_1, P_2, \dots$ who may coordinate on a
strategy beforehand, but are unable to communicate once the interaction with $V$ starts, then all
languages in NP can be proved in a (statistical) zero-knowledge way without any computational
assumption. Fortnow, Rompel, and Sipser [FRS94] showed that the MIP model is essentially
equivalent to having a (perhaps exponentially long) proof, whose answers to all possible queries are
fixed before interaction begins (in contrast to the usual notion of a prover, who may choose to alter
his answers based on the queries he has seen so far). Such proof systems are now known as
probabilistically checkable proofs (PCPs for short) and have found applications throughout theoretical
computer science, notably in the areas of hardness of approximation through the celebrated PCP
theorem [BFL90, AS98, ALM+98] and communication-efficient interactive proofs [Kil92].

The existence of ZK proofs for NP in the MIP model [BGKW88] and the “equivalence” of
MIP and PCP models (as a proof system) raised the following basic question:

Does NP have PCPs that remain zero-knowledge against malicious verifiers?

The work of [BGKW88] does not resolve this question, because their protocol, when implemented in
the PCP model, remains ZK only if cheating verifiers follow the protocol honestly. This highlights
an important point: since we have no control over the cheating verifier (except that we assume it is
efficient), if the proof is polynomial size then a cheating verifier may read the entire proof and this
is not zero knowledge. Therefore, the proof $\pi$ should be super-polynomially long, and we assume
that an efficient (perhaps cheating) verifier $V$ is only allowed black-box access to the proof. Since
$V$ is polynomially bounded, having black-box access to such a proof $\pi$ means that $V$ will be able
to query only polynomially many symbols in the proof at will. Thus, by definition, ZK-PCPs are
incomparable to standard (statistical) zero knowledge proofs in the single or multi-prover proof
systems: (1) the zero knowledge property is harder to achieve in the PCP model because the proof
is fixed and there is no control on which queries the verifier chooses to make, (2) but the soundness
property may be easier to achieve in the PCP model because the soundness is required only against
fixed cheating proofs (rather than cheating provers who may adaptively manipulate their answers).

Kilian, Petrank, and Tardos [KPT97] were the first to explicitly study the question above and
(relying on the previous work of [DFK+92] which in turn relied on the PCP theorem) showed that
in fact every language in NEXP has a ZK-PCP. Their ZK-PCPs, however, were not efficient even
when constructed for languages in NP, where by an efficient PCP for $L \in \mathrm{NP}$, we mean any PCP
$\pi$ whose answer $\pi(q)$ to any query $q$ can be computed using a polynomial size circuit (which may
depend on the common input $x \in L$, a witness $w$ that $x \in L$, and an auxiliary random string $r_\pi$).
This limitation is inherent in the approach of [KPT97], since in order to be ZK, their PCP requires
more entropy than the number of queries made by any cheating verifier.

Motivated by the lack of progress for over 10 years towards giving ZK-PCPs for NP that are ZK
with respect to all efficient cheating verifiers, Ishai, Mahmoody, and Sahai [IMS12] asked whether
this may be inherently impossible. Namely, they asked the following question, which is also the
main question studied in this work.

Main Question: Are there efficient ZK-PCPs for NP?

Ishai et al. proved that any language or promise problem $L$ with an efficient ZK-PCP where
the honest verifier’s queries are non-adaptive must satisfy $L \in \mathrm{coAM}$. Therefore, NP does not
have such efficient ZK-PCPs unless the polynomial-time hierarchy collapses [BHZ87]. Thus, the
main question above, whether there exist efficient ZK-PCPs for NP if we allow the
verifier to be adaptive, remained open. In this paper we resolve this question in the negative; namely we prove:

Theorem  1.1  (Main  Result).  Any  promise  problem  L  with  an  efficient  ZK-PCP  is  in  SZK. 

This strengthens the negative result of [IMS12] in two ways: (1) we lift the restriction that
the verifier be non-adaptive, and (2) we can conclude that $L \in \mathrm{SZK}$ which is stronger than
$L \in \mathrm{AM} \cap \mathrm{coAM}$, since it is known that $\mathrm{SZK} \subseteq \mathrm{AM} \cap \mathrm{coAM}$ [For89, AH91]. We emphasize that
Theorem 1.1 does not assume that the simulation is black-box.

Relation  to  Resettable  Zero-Knowledge.  The  notion  of  resettable  zero-knowledge  single 
prover  proof  systems  introduced  by  Canetti  et  al.  [CGGM00]  is  comparably  stronger  than  the 
notion  of  ZK-PCPs.  Essentially,  a  resettable-ZK  proof  is  a  ZK-PCP  where  soundness  is  required 
to  hold  even  against  adaptive  cheating  provers  who  may  manipulate  their  answers  based  on  the 
queries  they  see  (rather  than  just  fixed  cheating  proofs).  Canetti  et  al.  [CGGM00]  showed  how 
to  obtain  efficient  PCPs  that  are  computational  zero-knowledge  based  on  computational  hardness 
assumptions.  But  recall  that  in  this  work,  the  notion  of  ZK  is  statistical,  and  so  their  result  does 
not  resolve  our  main  question. 

Recently, Garg et al. [GOVW12] showed that efficient resettable statistical ZK proof systems
exist for non-trivial languages (e.g. Quadratic Residuosity) based on computational assumptions.
Therefore under the same assumptions, these languages also possess efficient ZK-PCPs. Garg
et al. also showed that assuming the existence of exponentially hard one-way functions, statistical
zero-knowledge proof systems can be made resettable. Unfortunately this transformation does not
preserve the efficiency of the prover. Therefore, even though by the works of Micciancio, Ong,
and Vadhan [MV03, OV08] we know that $\mathrm{SZK} \cap \mathrm{NP}$ has statistical zero-knowledge proofs with an
efficient prover, the result of [GOVW12] does not necessarily preserve this efficiency.

Finally note that if one can transform any statistical ZK proof into a resettable statistical ZK
proof without losing the efficiency of the prover, then together with our main result of Theorem
1.1 this would imply that the problems with efficient ZK-PCPs are exactly those in $\mathrm{SZK} \cap \mathrm{NP}$.

Relation to Basing Cryptography on Tamper-Proof Hardware. A main motivation of
[IMS12] to study the possibility of efficient ZK-PCPs for NP comes from a recent line of work on
basing cryptography on tamper-proof hardware (e.g. [Kat07, MS08, CGS08, GKR08, GIS+10, Kol10,
GIMS10]). In this model, the parties can exchange classical bits as well as hardware tokens that
hide a stateful or stateless efficient algorithm. The receiver of a hardware token is only able to
use it as a black-box and call it on polynomially many inputs. Using stateless hardware tokens makes
the protocol secure against “resetting” attacks where the receiver of a token is able to reset the
state of the token (say, by cutting its power). The work of Goyal et al. [GIMS10] focused on the
power and limits of stateless tamper-proof hardware tokens in achieving statistical security and
proved that statistical zero-knowledge for all of NP is possible using a single stateless token sent
from the prover to the verifier followed by $O(1)$ rounds of classical interaction. A natural question
remaining open after the work of [GIMS10] was whether the classical interaction can be eliminated,
achieving statistical ZK for NP using only a single stateless token. It is easy to see that this
question is in fact equivalent to our main question above, and thus our Theorem 1.1 proves that a
single (efficient) stateless token is not sufficient for achieving statistical ZK proofs for NP.

2  Our  Techniques 

In this section we describe the ideas and techniques behind the proof of Theorem 1.1 and compare
our approach to that of [IMS12]. If $L$ has a ZK-PCP (for now, let us assume for notational simplicity
that $L$ is a language; the idea is identical for general promise problems), one naive approach to
decide $L$ using its simulator is to run the simulator to obtain a view $\nu = (r, (q_1, a_1), \dots, (q_m, a_m))$,
where $r$ is the random seed of the verifier and the $(q_i, a_i)$ are queries/answers to the ZK-PCP, and
accept iff $\nu$ is an accepting view. This approach would obtain accepting views if $x \in L$ due to the
zero-knowledge property, but there is no guarantee about the case $x \notin L$.

A more promising approach is to “extract” a PCP $\hat\pi$ from the simulator Sim and run $V$ against
$\hat\pi$. Using this approach, due to the soundness of the PCP we would obtain a rejecting view if
$x \notin L$, but the issue shifts to the case $x \in L$ and ensuring that the extracted PCP is a valid proof
on YES instances. Therefore, a goal could be trying to construct $\hat\pi$ in a way that it is “close” to
an accepting PCP $\pi \leftarrow \boldsymbol{\pi}_{x,w}$ whenever $x \in L$.

To see at a high level why this may be possible for efficient ZK-PCPs, let $\boldsymbol{\pi}_{x,w}$ denote the
true distribution of proofs on an instance $x \in L$. Since the ZK-PCP is efficient, each proof $\pi_{x,w}$
is computable by some circuit of polynomial size; let $\eta(n) = \mathrm{poly}(n)$ be the number of bits it
takes to describe this circuit. If we look at the whole description of $\boldsymbol{\pi}_{x,w}$ as a random variable, its
entropy $H(\boldsymbol{\pi}_{x,w})$ can be at most $\eta$. Now consider $V^{[\ell]}$, which is the cheating verifier that executes
$\ell$ independent copies of $V$, all of them accessing the same proof $\pi \leftarrow \boldsymbol{\pi}_{x,w}$. Let $(\nu^1, \dots, \nu^\ell)$ be the
views generated. Since $H(\boldsymbol{\pi}_{x,w}) \le \eta$, if we pick $i \leftarrow [\ell]$ then the average entropy in the answers
returned to the $i$th verification $\nu^i$ conditioned on the views of the first $i - 1$ verifications $\nu^1, \dots, \nu^{i-1}$
is at most $\eta/\ell$, which can be made less than any arbitrarily small polynomial by increasing $\ell$.
Therefore, we will use the simulator for $V^{[\ell]}$ to generate views $(\nu^1, \dots, \nu^\ell)$, pick $i \leftarrow [\ell]$ and look
at $\nu^i$ conditioned on $(\nu^1, \dots, \nu^{i-1})$. The extracted proof $\hat\pi$ is defined based on how the queries are
answered in $\nu^i$. On YES instances $\hat\pi$ should have low entropy and therefore behave like a fixed
accepting proof (because of the statistical indistinguishability of the simulation). On NO instances,
$\hat\pi$ either behaves like a fixed proof and therefore is rejecting (because of soundness), or behaves
very different from a fixed proof (which we will be able to detect).
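
The $\eta/\ell$ bound above can be checked exactly on a small model. The following is an added example, not code from the paper: the 8-symbol proofs, the two-query adaptive verifier `run_verifier` and the parameter values are constructed assumptions, chosen so that every joint distribution can be enumerated.

```python
import itertools
import math
import random
from collections import Counter

def make_proof_family(eta, n_symbols, seed=0):
    """2**eta distinct n_symbols-bit truth tables (constructed toy proofs).
    A uniform choice among them has entropy exactly eta bits, standing in
    for proofs that are described by an eta-bit circuit."""
    rng = random.Random(seed)
    tables = rng.sample(range(2 ** n_symbols), 2 ** eta)
    return [tuple((t >> j) & 1 for j in range(n_symbols)) for t in tables]

def run_verifier(proof, r):
    """Toy adaptive verifier (an assumption of this example): the coin r
    picks the first query, and the second query depends on the first answer.
    Returns the view (r, a1, a2); coins plus answers determine the view."""
    n = len(proof)
    q1 = r
    a1 = proof[q1]
    q2 = (q1 + 1 + 2 * a1) % n
    return (r, a1, proof[q2])

def shannon_entropy(counts, total):
    """Shannon entropy in bits of the empirical distribution counts/total."""
    return -sum(c / total * math.log2(c / total) for c in counts.values())

def answer_entropies(eta, ell, n_symbols=8):
    """Exact H(answers in view i | coins of view i, views 1..i-1) for
    i = 1..ell, when ell independent copies of the verifier query one
    shared proof drawn uniformly from the family."""
    family = make_proof_family(eta, n_symbols)
    prefix_counts = [Counter() for _ in range(ell + 1)]
    for proof in family:
        per_coin = [run_verifier(proof, r) for r in range(n_symbols)]
        for coins in itertools.product(range(n_symbols), repeat=ell):
            views = tuple(per_coin[r] for r in coins)
            for i in range(ell + 1):
                prefix_counts[i][views[:i]] += 1
    total = len(family) * n_symbols ** ell
    h_prefix = [shannon_entropy(c, total) for c in prefix_counts]
    # View i is (coin, answers). The coin is uniform and independent of the
    # earlier views, so H(view i | earlier views) = log2(n_symbols)
    # + H(answers | coin, earlier views); subtract the coin's share.
    coin_bits = math.log2(n_symbols)
    return [h_prefix[i] - h_prefix[i - 1] - coin_bits for i in range(1, ell + 1)]

if __name__ == "__main__":
    eta, ell = 3, 4
    hs = answer_entropies(eta, ell)
    for i, h in enumerate(hs, 1):
        print(f"view {i}: answer entropy given earlier views = {h:.4f} bits")
    print(f"sum = {sum(hs):.4f} (bound eta = {eta}), "
          f"average = {sum(hs) / ell:.4f} (bound eta/ell = {eta / ell})")
```

The per-view entropies sum to the entropy of all answers given all coins, which cannot exceed the $\eta$ bits in the proof, so their average over a random $i$ is at most $\eta/\ell$ even though the verifier is adaptive.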

This was the approach used in [IMS12]: they give an AM (i.e. constant-round public-coin)
protocol that allows an efficient verifier to extract $\hat\pi$ using the help of an unbounded prover. We
also extract a PCP $\hat\pi$ from the simulator, but our extracted PCP is defined differently from the
one in [IMS12] and this difference allows us to also use it differently: we do not use the prover to
help us construct the extracted PCP in the SZK protocol we give for $L$, but rather we use $\hat\pi$ only
in the analysis to show that the SZK protocol we give is correct.

2.1  The  Approach  of  [IMS12] 

Let Sim be the simulator for $V^{[\ell]}$. Roughly speaking, [IMS12] defines the PCP $\hat\pi$ based on the
simulator as follows.

$$\hat\pi(q) \leftarrow \big(a \mid a \text{ is the answer to query } q_1 = q \text{ in } \mathrm{Sim}(x) \text{ conditioned on } \nu^1, \dots, \nu^{i-1} \text{ being the first } i - 1 \text{ views}\big)$$

In other words, we first sample $i \leftarrow [\ell]$ and generate views $\nu^1, \dots, \nu^{i-1}$ according to the simulator.
Then to answer any query $q$, we run $\mathrm{Sim}(x)$ conditioned on getting $q$ as the first query of the $i$th
execution, then we output the answer $\mathrm{Sim}(x)$ gives to $q$. It may not be possible to sample $\hat\pi(q)$
efficiently, but [IMS12] show how to sample $\hat\pi$ through an AM protocol, using the following ideas.

Simulating $\hat\pi$ with Help of a Prover. Using old and new constant-round sampling and
lower-bound protocols [GS89, For89, AH91, GVW01, HMX10] Ishai et al. show an AM protocol using
an unbounded (but also untrusted) prover so that if the prover is honest we get a simulation of
the oracle $\hat\pi$, and if he cheats then the verifier catches him. Essentially, in the AM protocol,
Arthur uses Merlin to help repeatedly rewind the simulator back to the first query. This way, we
obtain that $L$ and its complement are both in AM. This approach of [IMS12] is inspired by works
of [FF93, BT06, AGGM06] in the context of studying worst-case to average-case reductions in NP
where an unbounded prover (Merlin) is forced to simulate a (hard to compute) oracle.

Relying on Nonadaptivity of V. Note that if the distribution of the first and second queries
are statistically far, then by asking some second query $q_2$ from the oracle $\hat\pi$ we might simply get no
answer because it is possible that $\mathrm{Sim}(x)$ never generates $q_2$ as the first query. But if the honest
verifier $V$ is nonadaptive, w.l.o.g. we can assume that it randomly permutes its queries before
asking them and therefore the marginal distribution of all queries will be identical (though perhaps
correlated). [IMS12] show that if the PCP $\hat\pi$ (as a random variable) has very low entropy, then this
implies that the view of $V^{\hat\pi}(x)$ is close to a simulator-generated view, and so on YES instances by
statistical closeness of the simulator and an honest interaction, $V^{\hat\pi}(x)$ is accepting. On the other
hand, since the proof $\hat\pi$ is generated independently of the final verification’s queries, it holds on NO
instances that $V^{\hat\pi}(x)$ is rejecting because of the soundness of the ZK-PCP.

2.2  Our  Approach 

We use the same cheating verifier and its corresponding simulator Sim, but our extracted PCP
$\hat\pi$ is defined without rewinding the simulator back to the first query. Roughly speaking, our oracle
is defined as:

$$\hat\pi(q) \leftarrow \big(a_j \mid a_j \text{ is the answer to the } j\text{th query } q = q_j \text{ for a random } j \text{ in } \mathrm{Sim}(x) \text{ conditioned on } \nu^1, \dots, \nu^{i-1} \text{ being the first } i - 1 \text{ views}\big)$$

Notice that $\hat\pi$ is defined without rewinding back to the first query, and so we do not require
the queries to have the same distribution and thus we do not need to assume the verifier to be
nonadaptive. Furthermore, the way we use $\hat\pi$ differs from [IMS12] because we do not construct $\hat\pi$
in our SZK protocol, but only use its definition in the analysis of our reduction to SZK.

To obtain an SZK protocol for $L$, we give a Karp (many-to-one) reduction from $L$ to a problem
in SZK. More formally, using the simulator, we map each $x$ to three circuits $(C_1, C_2, C_3)$ such that
we will be able to verify certain statistical properties about them in SZK (the reduction is given
in Reduction 4.2). Essentially, for $j \in \{1, 2, 3\}$, $C_j$ runs the simulator for the cheating verifier $V^{[\ell]}$
on input $x$ to obtain views $(\nu^1, \dots, \nu^\ell)$. Given these executions, $C_j$ picks a random execution $i$ and
verifies some statistical properties about the $i$th execution conditioned on the first $(i - 1)$ executions.

Here,  we  just  describe  the  properties  that  each  circuit  checks  at  a  high  level,  and  we  defer  the 
formal  discussions  to  Section  4.  All  of  the  following  are  conditioned  on  the  first  i  —  1  views. 

1. $C_1$ checks that the simulated randomness of $V$ in the $i$th execution is close to uniform.

2. $C_2$ checks that, sampling a random set of queries and answers for the $i$th execution and picking
one query/answer pair at random, that answer has low entropy given that query.

3. $C_3$ checks that the $i$th execution is accepting.

First we argue that the reduction maps YES instances of $L$ to $(C_1, C_2, C_3)$ satisfying all three
properties, and NO instances to circuits not satisfying all three properties.

• ($x \in L$). Since the simulator’s output is statistically close to the honest distribution, the
simulated verifier’s random coins are also close to uniform, and the first property is satisfied.
Also, since the PCP is efficient and thus has entropy at most $\eta = \mathrm{poly}(n)$, it means the
average conditioned entropy of the answers to queries in the $i$th verification is at most $\eta/\ell$
which we set to be small, so the second property is also satisfied. (Actually, assuming that in
the $i$th execution the entire set of answers has low entropy given the entire set of queries, it
is non-trivial to show that a random answer has low entropy given its corresponding query,
because the queries may be adaptive and a random query might indirectly reveal information
about other queries and answers. Despite that, in Lemma 4.4 we prove this claim even for
adaptive verifiers.) Finally, for a YES instance the simulator produces accepting views with
high probability, so the third property is also satisfied. This is proved in Section 4.1.

• ($x \notin L$). It suffices to show that if $(C_1, C_2, C_3)$ satisfy the first two properties, then they do
not satisfy the third. If the verifier coins in the simulator’s output are close to uniform and
there is low entropy in the query-answer pairs, then we can show that the view output by
the simulator in the $i$th execution is statistically close to $V^{\hat\pi}$ executing against the oracle $\hat\pi$
defined above. Therefore, the verifier must reject in $V^{\hat\pi}$ because of the soundness property of
the ZK-PCP. This is proved in Section 4.2.

Finally, we note that the desired properties of the circuits $C_1, C_2$ can be verified in SZK by two
reductions to the problem of Conditional Entropy Approximation (see Definition 3.8) which
is known to be SZK-complete [Vad06], while $C_3$ can be verified in $\mathrm{BPP} \subseteq \mathrm{SZK}$. Since SZK is
closed under conjunction, disjunction, and complement (Lemma 3.6, see also [Vad99]), all three
properties can simultaneously be verified in SZK.

3  Preliminaries 

Basic Terminology and Notation. We use bold letters to denote random variables (e.g. $\mathbf{X}$ or
$\mathbf{x}$). By $x \leftarrow \mathbf{x}$ we mean that $x$ is sampled according to the distribution of the random variable $\mathbf{x}$.
We write $\mathbb{E}_x[\cdot]$ to denote $\mathbb{E}_{x \leftarrow \mathbf{x}}[\cdot]$, where any $x$ appearing inside the expression in the expectation
is fixed. For any finite set $S$, $x \leftarrow S$ denotes $x$ sampled uniformly from $S$. $U_n$ denotes the
uniform distribution over $\{0,1\}^n$, and $[n]$ denotes the set $\{1, 2, \dots, n\}$. For jointly distributed
random variables $(\mathbf{x}, \mathbf{y})$, and for a specific value $y \leftarrow \mathbf{y}$, by $(\mathbf{x} \mid y)$ we mean the random variable
$\mathbf{x}$ conditioned on $\mathbf{y} = y$. When we say an event occurs with negligible probability denoted by
$\mathrm{negl}(n)$, we mean it occurs with probability We call two random variables $\mathbf{x}, \mathbf{y}$ (or their
corresponding distributions) over the support set $S$ $\epsilon$-close if their statistical distance
$\Delta(\mathbf{x}, \mathbf{y}) = \frac{1}{2} \cdot \sum_{s \in S} |\Pr[\mathbf{x} = s] - \Pr[\mathbf{y} = s]|$ is at most $\epsilon$. By an ensemble (of random variables) $\{\mathbf{y}_x\}_{x \in I}$ we
denote a set of random variables indexed by a set $I$. We call two ensembles $\{\mathbf{y}_x\}_{x \in I}$ and $\{\mathbf{z}_x\}_{x \in I}$
with the same index set statistically close if $\Delta(\mathbf{y}_x, \mathbf{z}_x) = \mathrm{negl}(|x|)$. We use the terms efficient and
PPT to refer to any probabilistic polynomial time (perhaps oracle-aided) algorithm. For an oracle
$\pi$ and an (oracle-aided) algorithm $V$, by $V^\pi$ we refer to an execution of $V$ given access to $\pi$ and
by $\mathrm{View}(V^\pi)$ we refer to the view of $V$ in its execution given $\pi$, which consists of its randomness
$r$ and the sequence of its oracle query-answer pairs $[(q_1, a_1), (q_2, a_2), \dots]$ (having only the oracle
answers and $r$ is sufficient to know $\mathrm{View}(V^\pi)$). All logarithms are base 2. By $H(\mathbf{X})$ we denote
the Shannon entropy of $\mathbf{X}$ defined as $H(\mathbf{X}) = \mathbb{E}_{x \leftarrow \mathbf{X}} \lg(1/\Pr[\mathbf{X} = x])$. By $H(\mathbf{X} \mid \mathbf{Y})$, we denote
the conditional entropy as $\mathbb{E}_{y \leftarrow \mathbf{Y}}[H(\mathbf{X} \mid y)]$, and we denote the conditional mutual information as
$I(\mathbf{X}; \mathbf{Y} \mid \mathbf{Z}) = H(\mathbf{X} \mid \mathbf{Z}) - H(\mathbf{X} \mid \mathbf{Y}\mathbf{Z})$.

3.1  Promise  Problems 

A language $L$ is simply a partition of $\{0,1\}^*$ into $L^Y$ and $L^N$ (i.e. $L^Y \cup L^N = \{0,1\}^*$ and
$L^Y \cap L^N = \emptyset$).

A promise language (or problem) $L = (L^Y, L^N)$ generalizes the notion of a language by only
requiring that $L^Y \cap L^N = \emptyset$ (but there could be some $x \in \{0,1\}^* \setminus (L^Y \cup L^N)$). For promise
problems, we will sometimes use $x \in L$ to denote

Definition 3.1 (Operations on Promise Languages). We define the following three operations over
promise languages.

• The complement $\overline{L} = (\overline{L}^Y, \overline{L}^N)$ of a promise language $L = (L^Y, L^N)$ is another promise
language such that $\overline{L}^Y = L^N$ and $\overline{L}^N = L^Y$.

• For two promise languages $L_1$ and $L_2$ we define their conjunction $L = L_1 \wedge L_2$ as:

- $x = (x_1, x_2) \in L^Y$ iff $x_1 \in L_1^Y$ and $x_2 \in L_2^Y$,

- $x = (x_1, x_2) \in L^N$ iff $x_1 \in L_1^N$ or $x_2 \in L_2^N$.

• For two promise languages $L_1$ and $L_2$ we define their disjunction $L = L_1 \vee L_2$ as:

- $x = (x_1, x_2) \in L^Y$ iff $x_1 \in L_1^Y$ or $x_2 \in L_2^Y$,

- $x = (x_1, x_2) \in L^N$ iff $x_1 \in L_1^N$ and $x_2 \in L_2^N$.

It is easy to see that $L_1 \vee L_2 = \overline{\overline{L_1} \wedge \overline{L_2}}$.

Definition 3.2 (Karp Reduction). A Karp reduction $R$ from a promise problem $L_1$ to another
promise problem $L_2$ is a deterministic efficient algorithm such that $R(x) \in L_2^Y$ for every $x \in L_1^Y$
and $R(x) \in L_2^N$ for every $x \in L_1^N$.

3.2  Interactive  Proof  Systems 

Definition 3.3 (PCPs). A (randomized) probabilistically checkable proof (PCP for short)
$\Pi = (\{\boldsymbol{\pi}_{x \in L}\}, V)$ for a promise problem $L$ consists of an ensemble of random variables $\{\boldsymbol{\pi}_x\}$ for $x \in L$
whose values are oracles (also called proofs) and also a verifier $V$ which is an oracle-aided PPT
with randomness $r$. We require the following properties to hold.

• Completeness: For every $x \in L^Y$ and every $\pi \in \mathrm{Supp}(\boldsymbol{\pi}_x)$ it holds that $\Pr_r[V_r^\pi(x) = 1] \ge 2/3$.

• Soundness: If $x \in L^N$, then for every oracle $\pi$ it holds that $\Pr_r[V_r^\pi(x) = 0] \ge 2/3$.

If the PCP also receives an auxiliary input $w$, the distribution of the oracles might depend on $x$
and $w$ both, denoted as: $\{\boldsymbol{\pi}_{x,w}\}$. We call a PCP for problem $L \in \mathrm{NP}$ efficient, if for all $x \in L$ and
witnesses $w$ for $x \in L$, and all $\pi \in \mathrm{Supp}(\boldsymbol{\pi}_{x,w})$, there exists a $\mathrm{poly}(n)$-sized circuit $C_\pi$ such that for
all queries $q$, $C_\pi(q) = \pi(q)$. Namely, $C_\pi$ encodes $\pi$.

Notice that this definition of efficiency is non-uniform: the distribution of proofs $C_\pi$ may depend
non-uniformly on $x, w$. This makes our results stronger than if we required $C_\pi$ to depend uniformly
on $x, w$, since we are proving a negative result.

Definition 3.4. Let $\Pi = (\{\boldsymbol{\pi}_{x \in L, w}\}, V)$ be a PCP for the problem $L$ with some auxiliary input
given to the oracle. $\Pi$ is called zero-knowledge (ZK) if for every malicious $\mathrm{poly}(n)$-time verifier $V$,
there exists a simulator Sim which runs in (expected) $\mathrm{poly}(n)$-time and the following ensembles
are statistically close:

$$\{\mathrm{Sim}(x)\}_{x \in L}, \qquad \{\mathrm{View}(V^{\boldsymbol{\pi}_{x,w}}(x))\}_{x \in L}.$$

Note that $V$ only has oracle access to $\boldsymbol{\pi}_{x,w}$, the auxiliary input is not given to the simulator and the
statistical indistinguishability should hold for large enough $x$ (regardless of the witness $w$). We call
$\Pi$ perfect ZK if the simulator distribution conditioned on not aborting is identically distributed to
the honest interaction.

Since  we  do  not  need  the  exact  definition  of  the  class  SZK,  here  we  only  describe  it  at  a  high 
level.  The  definition  of  SZK  is  indeed  very  similar  to  Definition  3.4  with  the  difference  that  the 
soundness  holds  against  provers  (which  can  be  thought  of  as  stateful  oracles  who  could  answer  new 
queries  depending  on  the  previous  queries  asked.) 

Definition 3.5 (Complexity Class SZK). The class SZK consists of promise problems which have
an interactive proof system with soundness error <1/3 and the view of any malicious verifier can
be simulated up to $\mathrm{negl}(n)$ statistical error.

Lemma 3.6. For a constant $k$, let $L_1, \dots, L_k$ be a set of promise languages all in SZK, and let $F$
be a constant-size $k$-input formula with operations: complement, conjunction, and disjunction as
in Definition 3.1. Then $F(L_1, \dots, L_k) \in \mathrm{SZK}$.

Here  we  give  a  sketch  of  the  proof  for  completeness.  (See  Section  4.5  and  Corollary  6.5.1 
of  [Vad99]  for  a  more  general  and  improved  statement  than  that  of  Lemma  3.6.) 

Proof  Sketch.  We  will  use  the  following: 

Theorem 3.7 ([Oka96]). The class SZK is closed under complement.

Since $k$ is constant, we just need to prove the claim for formulas which have only a single
operation, and then the lemma follows by an induction. Moreover since $L_1 \vee L_2 = \overline{\overline{L_1} \wedge \overline{L_2}}$, we
just need to prove the claim for complement and conjunction operations. Theorem 3.7 proves this
for the complement. To obtain $L_1 \wedge L_2 \in \mathrm{SZK}$, given the input $(x_1, x_2)$, the prover provides an
(interactive) SZK proof that $x_1 \in L_1^Y$ and then (if the first interaction is accepted), he also provides
a SZK proof that $x_2 \in L_2^Y$. (More formally, the prover and the verifier start with an amplified
version of the original protocols with soundness error <1/6, the soundness error of the sequential
composition in this case remains < 1/3). On the other hand, if either of $x_1 \in L_1^N$, $x_2 \in L_2^N$ holds,
the corresponding interaction rejects with probability at least 2/3. □

3.3  Shannon  Entropy  and  Related  Computational  Problems 

Definition 3.8 (Conditional Entropy Approximation). The promise problem $\mathrm{CEA}_\varepsilon$ is defined as follows. Suppose $C$ is a poly(n)-size circuit sampling a joint distribution $(X, Y)$. Then given $(C, r)$ we have:

• $(X, Y, r) \in \mathrm{CEA}_\varepsilon^Y$ if $H(X \mid Y) \ge r$.

• $(X, Y, r) \in \mathrm{CEA}_\varepsilon^N$ if $H(X \mid Y) \le r - \varepsilon$.

Lemma 3.9. For any $\varepsilon > 1/\mathrm{poly}(n)$, $\mathrm{CEA}_\varepsilon \in \mathsf{SZK}$.

Proof. We give a reduction from $\mathrm{CEA}_\varepsilon$ to CEA, which is known to be SZK-complete [Vad06]. The reduction maps

$$(X, Y, r) \mapsto \big((X^1, \dots, X^{1/\varepsilon}),\ (Y^1, \dots, Y^{1/\varepsilon}),\ r/\varepsilon\big)$$

where for every $i \in [1/\varepsilon]$, $(X^i, Y^i)$ is sampled identically to $(X, Y)$ and independently of all other components (i.e. by an independent copy of the circuit $C$). It is easy to see that

$$H\big((Y^1, \dots, Y^{1/\varepsilon}) \mid (X^1, \dots, X^{1/\varepsilon})\big) = \tfrac{1}{\varepsilon} \cdot H(Y \mid X).$$

□


In  our  main  reduction,  we  will  reduce  problems  to  the  following  problem  in  SZK: 

Definition 3.10 (Conditional Entropy Bound). $\mathrm{CEB}_{\alpha,\beta}$ is the following promise problem where inputs are poly(n)-size circuits $C$ sampling a joint distribution $(X, Y)$:

1. $(X, Y) \in \mathrm{CEB}_{\alpha,\beta}^Y$ if $H(X \mid Y) \ge \alpha$.

2. $(X, Y) \in \mathrm{CEB}_{\alpha,\beta}^N$ if $H(X \mid Y) \le \beta$.

The  following  is  immediate  from  Lemma  3.9: 

Lemma 3.11. For all $\alpha - \beta > 1/\mathrm{poly}(n)$, $\mathrm{CEB}_{\alpha,\beta} \in \mathsf{SZK}$.

3.4  Useful  Facts  and  Lemmas 

Fact 3.12 (Basic Facts about Entropy). The following hold for any random variables $X, Y, Z$:

1. $H(X \mid Y) \le H(X)$.

2. $I(X; Y \mid Z) = H(X \mid Z) - H(X \mid YZ) = H(Y \mid Z) - H(Y \mid XZ) \ge 0$.

3. Data processing inequality: for any randomized function $F$ (whose randomness is independent of $X, Y, Z$), it holds that $I(F(X); Y \mid Z) \le I(X; Y \mid Z)$.

In the following, define for $\varepsilon \in [0, 1]$ the value $H(\varepsilon) = \varepsilon \lg(1/\varepsilon) + (1 - \varepsilon) \lg(1/(1 - \varepsilon))$.

Lemma 3.13 (Bounding Statistical Distance from Conditional Entropy). If $\mathrm{Supp}(X) = \{0,1\}^n$ then $\mathbb{E}_{y \leftarrow Y}\, \Delta\big((X \mid Y = y),\ U_n\big) \le \sqrt{n - H(X \mid Y)}$.

Proof.  We  use  the  following  definition. 

Definition 3.14 (Kullback-Leibler Divergence). For random variables $X, Y$ such that $\mathrm{Supp}(X) \subseteq \mathrm{Supp}(Y)$, the Kullback-Leibler divergence is defined as $\mathrm{KL}(X, Y) = \mathbb{E}_{x \leftarrow X} \lg \frac{\Pr[X = x]}{\Pr[Y = x]}$.

It can be verified by straightforward calculation that $H(X) = n - \mathrm{KL}(X, U_n)$.

Pinsker's inequality states that for any random variables $X, Y$, it holds that $\Delta(X, Y) \le \sqrt{\mathrm{KL}(X, Y)}$. Applying Pinsker's inequality to $(X \mid Y = y)$ and $U_n$ for every fixed value of $y \leftarrow Y$ and using Jensen's inequality, we have:

$$\mathbb{E}_{y \leftarrow Y}\, \Delta\big((X \mid Y = y),\ U_n\big) \le \mathbb{E}_{y \leftarrow Y} \sqrt{n - H(X \mid Y = y)} \le \sqrt{\mathbb{E}_{y \leftarrow Y}\big[n - H(X \mid Y = y)\big]} = \sqrt{n - H(X \mid Y)}$$


□ 

Lemma 3.15 (Bounding Conditional Entropy from Statistical Distance). Suppose $\Delta((X, Y), (X', Y')) \le \varepsilon$ and $\mathrm{Supp}(X) \cup \mathrm{Supp}(X') \subseteq \{0,1\}^n$. Then it holds that $|H(X \mid Y) - H(X' \mid Y')| \le 4(H(\varepsilon) + \varepsilon \cdot n)$.

To  prove  this  lemma,  we  need  the  following: 

Lemma 3.16. Suppose $\Delta((X, Y), (X', Y')) \le \varepsilon$ and let $Z = (X'', Y)$ be a random variable distributed as follows. The component $y \leftarrow Y$ is sampled, and then $X''$ conditioned on $Y = y$ is distributed as $(X' \mid Y' = y)$. Then it holds that $\Delta((X, Y), Z) \le 2\varepsilon$.

Proof. It is sufficient to show that $\Delta((X', Y'), Z) \le \varepsilon$, which is true because the second components have statistical distance at most $\varepsilon$ and the first components have statistical distance zero conditioned on the second components being equal. □

Proof of 3.15. We first prove the lemma for the case that $Y, Y'$ do not exist (i.e. $\Delta(X, X') \le \varepsilon$). It is well known that in this case there is a random variable $\overline{X}$ which has a measure of $1 - \varepsilon$ in both of $X$ and $X'$. Namely, one can think of a Boolean random variable $b$ jointly distributed with $X, X'$ such that $\Pr[b = 0] = \varepsilon$ and $(X \mid b = 1) = \overline{X} = (X' \mid b = 1)$. Based on this "decomposition" we get:

$$H(X) \ge H(X \mid b) \ge (1 - \varepsilon)\, H(X \mid b = 1) = (1 - \varepsilon)\, H(\overline{X}).$$

On the other hand it holds that

$$H(X) \le H(b) + H(X \mid b) = H(\varepsilon) + \varepsilon\, H(X \mid b = 0) + (1 - \varepsilon) \cdot H(X \mid b = 1) \le H(\varepsilon) + \varepsilon n + (1 - \varepsilon)\, H(\overline{X}).$$

Namely, both of $H(X), H(X')$ are lower-bounded by $(1 - \varepsilon)\, H(\overline{X})$ and upper-bounded by $H(\varepsilon) + \varepsilon n + (1 - \varepsilon)\, H(\overline{X})$, and therefore $|H(X) - H(X')| \le H(\varepsilon) + \varepsilon n$.

Now, using the result above, we prove the conditional case through a hybrid argument. Given the two pairs of random variables $(X, Y), (X', Y')$ define the hybrid random variable $Z = (X'', Y)$ as defined in the statement of Lemma 3.16. We claim that

1. $|H(X'' \mid Y) - H(X \mid Y)| \le 2(H(\varepsilon) + \varepsilon n)$, and

2. $|H(X'' \mid Y) - H(X' \mid Y')| \le 2\varepsilon n$.

Using  these  two  bounds,  Lemma  3.15  follows  by  a  triangle  inequality. 

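We obtain the first bound as follows.

$$\begin{aligned}
|H(X'' \mid Y) - H(X \mid Y)| &\le \mathbb{E}_{y \leftarrow Y}\big[\,|H(X'' \mid Y = y) - H(X \mid Y = y)|\,\big] \\
&\le \mathbb{E}_{y \leftarrow Y}\big[H\big(\Delta(X'' \mid y,\ X \mid y)\big) + \Delta(X'' \mid y,\ X \mid y) \cdot n\big] \\
&\le H\big(\mathbb{E}_{y \leftarrow Y}[\Delta(X'' \mid y,\ X \mid y)]\big) + \mathbb{E}_{y \leftarrow Y}[\Delta(X'' \mid y,\ X \mid y)] \cdot n && \text{(by concavity of entropy)} \\
&\le H(2\varepsilon) + (2\varepsilon) \cdot n && \text{(by Lemma 3.16)} \\
&\le 2(H(\varepsilon) + \varepsilon \cdot n). && \text{(by concavity of entropy)}
\end{aligned}$$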


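To obtain the second bound we do as follows.

$$\begin{aligned}
|H(X'' \mid Y) - H(X' \mid Y')| &= \Big|\, \mathbb{E}_{y \leftarrow Y}\big[H(X' \mid Y' = y)\big] - \mathbb{E}_{y \leftarrow Y'}\big[H(X' \mid Y' = y)\big] \,\Big| \\
&= \Big|\, \sum_{y \in \mathrm{Supp}(Y) \cup \mathrm{Supp}(Y')} \big(\Pr[Y = y] - \Pr[Y' = y]\big) \cdot H(X' \mid Y' = y) \,\Big| \\
&\le \sum_{y \in \mathrm{Supp}(Y) \cup \mathrm{Supp}(Y')} \big|\Pr[Y = y] - \Pr[Y' = y]\big| \cdot n \\
&\le 2\Delta(Y, Y') \cdot n
\end{aligned}$$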


□

4 Proving the Main Result

Theorem 4.1. Suppose the promise problem $L = (L^Y, L^N)$ has a ZK-PCP $\Pi = (\{\pi_{x \in L, w}\}, V)$ of entropy at most $H(\pi_{x,w}) \le \mathrm{poly}(|x|)$. Then $L \in \mathsf{SZK}$.

(Note that the theorem extends beyond efficient ZK-PCPs and encompasses all ZK-PCPs where proofs have low entropy.) In the rest of this section we prove Theorem 4.1. Fix an efficient ZK-PCP for $L$. Efficiency means there exists $\eta = \mathrm{poly}(n)$ such that every possible honest proof $\pi$ can be encoded by a circuit with binary description size at most $\eta$. This implies that for all $x \in L$ with witness $w$, if we let $\pi_{x,w}$ be the distribution of proofs defined by the ZK-PCP, it holds that $H(\pi_{x,w}) \le \eta$.

Let $V^{[\ell]} = (V^1, \dots, V^\ell)$ be a verifier who executes $\ell$ independent instances of $V$ against the given oracle and let $V^i$ be its $i$th verification. (We will fix a choice of $\ell = \mathrm{poly}(n)$ later.) Let Sim be the simulator that simulates the view of $V^{[\ell]}$ statistically well (i.e. $\mathrm{Sim}(x)$ is $\mathrm{negl}(|x|)$-close to the view of $V^{[\ell]}(x)$ when accessing $\pi \leftarrow \pi_{x,w}$ for $x \in L$). The view of $V^i$ can be represented as $\nu^i = (r^i, q^i_1, a^i_1, \dots, q^i_m, a^i_m)$ where $r^i \in \{0,1\}^k$ is the randomness used by $V^i$, $q^i_j$ is its $j$th oracle query and $a^i_j$ is the answer to $q^i_j$. We use the notation $a^i = (a^i_1, \dots, a^i_m)$, $q^i = (q^i_1, \dots, q^i_m)$. The view of $V^{[\ell]}$ consists of $(\nu^1, \dots, \nu^\ell)$.

In order to prove $L \in \mathsf{SZK}$, we show how to reduce $L$ to a constant size formula over SZK languages. Roughly speaking, our reduction reduces $L$ to $\mathrm{CEB} \wedge \overline{\mathrm{CEB}} \wedge D$ (see Definition 3.1) where $D \in \mathsf{BPP} \subseteq \mathsf{SZK}$, which makes $\mathrm{CEB} \wedge \overline{\mathrm{CEB}} \wedge D \in \mathsf{SZK}$ (see Lemma 3.6). To describe our reduction formally we first need to define a circuit $C_x^{\mathrm{Sim}}$ and a promise problem $D_{\alpha,\beta}$ as follows.

• The circuit $C_x^{\mathrm{Sim}}$ takes as input $r_{\mathrm{Sim}}$ (for input length $|x|$). The circuit $C_x^{\mathrm{Sim}}$ outputs $\mathrm{Sim}(x; r_{\mathrm{Sim}}) = (\nu^1, \dots, \nu^\ell)$ where for each $i \in [\ell]$, $\nu^i = (r^i, q^i_1, a^i_1, \dots, q^i_m, a^i_m)$.

• For $\alpha > \beta$, $D_{\alpha,\beta}$ is a promise problem whose inputs are Boolean circuits $C$. Suppose the input length of $C$ is $n$, then:

1. $C \in D_{\alpha,\beta}^Y$ iff $\Pr[C(U_n) = 1] \ge \alpha$, and

2. $C \in D_{\alpha,\beta}^N$ iff $\Pr[C(U_n) = 1] \le \beta$.

It is easy to see that for $\alpha - \beta > 1/\mathrm{poly}(n)$, $D_{\alpha,\beta} \in \mathsf{BPP}$.

Reduction 4.2 (Main Reduction). Given a parameter $\ell$, we map $x \mapsto (C_1, C_2, C_3)$ as follows.

1. $C_1$ is a circuit sampling the joint distribution $(X_1, Y_1)$ defined as follows. On input $(r_{\mathrm{Sim}}, i)$, $C_1$ executes the circuit $C_x^{\mathrm{Sim}}$ on a random $r_{\mathrm{Sim}}$ to get $(\nu^1, \dots, \nu^\ell) \leftarrow C_x^{\mathrm{Sim}}(r_{\mathrm{Sim}})$ and sets:

$$X_1 = r^i \quad\text{and}\quad Y_1 = (\nu^1, \dots, \nu^{i-1}).$$

2. $C_2$ is a circuit sampling the joint distribution $(X_2, Y_2)$ defined as follows. On input $(r_{\mathrm{Sim}}, i, j)$, $C_2$ executes the circuit $C_x^{\mathrm{Sim}}$ on a random $r_{\mathrm{Sim}}$ to get $(\nu^1, \dots, \nu^\ell) \leftarrow C_x^{\mathrm{Sim}}(r_{\mathrm{Sim}})$ and sets:

$$X_2 = a^i_j \quad\text{and}\quad Y_2 = (\nu^1, \dots, \nu^{i-1}, q^i_j).$$

We emphasize the fact that while $a^i_j, q^i_j$ appear in the output of $C_2$, the actual index $j$ itself does not appear in the output.

3. $C_3$ is a circuit computing the following. On input $(r_{\mathrm{Sim}}, i)$, run $C_x^{\mathrm{Sim}}(r_{\mathrm{Sim}}) = (\nu^1, \dots, \nu^\ell)$, and output 1 iff $\nu^i$ is an accepting view of $V^i$.

Claim 4.3. Reduction 4.2 is a Karp reduction from $L$ (specified in Theorem 4.1) to the promise language $Z = \mathrm{CEB}_{k-1/200,\,k-1/100} \wedge \overline{\mathrm{CEB}}_{2\eta/\ell,\,1.1\eta/\ell} \wedge D_{0.66,\beta}$ for $\beta = 1/3 + 1/10 + 2m\eta/\ell$.

Proving Theorem 4.1 using Claim 4.3. By taking $\ell = 40 m \eta$, it holds that $2m \cdot \eta/\ell \le 1/20$ in Lemma 4.8 and so $\beta < 1/2$, which implies that $D_{\alpha,\beta} \in \mathsf{BPP}$, $Z \in \mathsf{SZK}$, and so $L \in \mathsf{SZK}$.

In the following we prove Claim 4.3 by studying each of the cases $x \in L^Y$ and $x \in L^N$ separately. We begin with a lemma that will be useful for the case $x \in L$.

The  following  lemma  bounds  the  conditional  entropy  of  a  single  answer  to  a  single  randomly 
chosen  verifier  query  by  the  conditional  entropy  of  the  set  of  all  answers  to  the  set  of  all  verifier 
queries.  This  is  non-trivial  because  the  verifier  queries  may  be  asked  adaptively. 

Lemma 4.4. Let $A$ be any randomized algorithm that (adaptively) queries a PCP $\pi$. Let $r \in \{0,1\}^k$ denote the random coins of $A$. Let $q = (q_1, \dots, q_m)$ be the queries that $A^\pi(r)$ makes and let $a_j = \pi(q_j)$ be the corresponding answers. Let $\pi$ be an arbitrary distribution over proofs, and let $q$ and $a$ be the distribution over (the vectors of) queries and answers obtained by querying $\pi$ using algorithm $A$ on uniform random coins $r$. Let also $j$ be an arbitrary distribution over $[m]$.

Then $H(a_j \mid q_j) \le H(a \mid r)$ where in the notation $q_j$ the value of $j$ is not explicitly revealed.

Proof. By the definition of conditional entropy and adding $0 = H(a_j q_j \mid \pi) - H(a_j q_j \mid \pi)$, we get

$$H(a_j \mid q_j) = H(a_j q_j) - H(a_j q_j \mid \pi) - \big(H(q_j) - H(a_j q_j \mid \pi)\big).$$

Since a proof $\pi$ is stateless, for any fixed $\pi$, given any query $q$ asked at some point during the execution of $A^\pi$, the answer $a = \pi(q)$ is also fixed. Therefore it holds that $H(a_j q_j \mid \pi) = H(q_j \mid \pi)$, and by the definition of mutual information, we may deduce that

$$H(a_j \mid q_j) = I(a_j q_j; \pi) - I(q_j; \pi) \le I(a_j q_j; \pi).$$

Since $I(a_j q_j; \pi) = H(\pi) - H(\pi \mid a_j q_j)$ and since $\pi$ and $r$ are independent, Item 1 of Fact 3.12 implies that

$$H(a_j \mid q_j) \le I(a_j q_j; \pi) = H(\pi) - H(\pi \mid a_j q_j) \le H(\pi \mid r) - H(\pi \mid a_j q_j r) = I(a_j q_j; \pi \mid r).$$

Let $F$ be the function that takes as input $(a, q)$ and outputs $(a_j, q_j)$ by sampling $j$. By the data processing inequality (Item 3 of Fact 3.12) it holds that

$$H(a_j \mid q_j) \le I(a_j q_j; \pi \mid r) = I(F(aq); \pi \mid r) \le I(aq; \pi \mid r) \le H(aq \mid r) = H(a \mid r) + H(q \mid ar).$$

Finally, since $H(q \mid ar) = 0$, this implies the proposition. □

Remark 4.5. We emphasize that if $\pi$ was stateful (i.e. a "prover", rather than a "proof"), then Lemma 4.4 would be false. Even a deterministic prover can correlate his answers to the verifier's queries, and so it may be that $H(a \mid q) = 0$ but $H(a_j \mid q_j) > 0$. Namely, even given $\pi$ (say for a stateful prover that $\pi$ gives the random coins of the prover) and a query $q$, the answer to $q$ may have entropy because $\pi$'s answer to $q$ may be different depending on whether $q$ was asked as the first query or second query or third query, etc. In particular, the equality $H(a_j q_j \mid \pi) = H(q_j \mid \pi)$ used in the proof of Lemma 4.4 would not hold anymore. This is one place where we crucially use the fixed nature of a PCP.
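
The following Python check is an added illustration, not code from the paper: it computes both sides of Lemma 4.4 exactly for a constructed adaptive 2-query verifier, every uniform distribution over 3-bit proofs and a uniform index j, and then runs the same verifier against a constructed stateful prover of the kind Remark 4.5 describes. The verifier, the proof strings and the prover are assumptions made for the example.

```python
from collections import defaultdict
from fractions import Fraction
from itertools import combinations, product
from math import log2

def cond_entropy(joint):
    """H(A | B) in bits, for a joint distribution given as {(a, b): probability}."""
    marginal = defaultdict(Fraction)
    for (_, b), p in joint.items():
        marginal[b] += p
    return sum(float(p) * log2(marginal[b] / p) for (_, b), p in joint.items())

def verifier(r, oracle):
    """Constructed adaptive verifier with one coin r: the second query depends on a1."""
    q1 = r
    a1 = oracle(q1)
    q2 = (1 - r) if a1 == 0 else 2
    a2 = oracle(q2)
    return (q1, q2), (a1, a2)

def proof(bits):
    """Factory for a stateless oracle: the answer depends only on the query."""
    return lambda: (lambda q: int(bits[q]))

def stateful_prover():
    """Deterministic prover answering 0 to its first query and 1 to its second,
    whatever the queries are (constructed counterexample for Remark 4.5)."""
    answers = iter((0, 1))
    return lambda q: next(answers)

def entropies(oracles):
    """Return (H(a_j | q_j), H(a | r)) for a uniformly chosen oracle,
    a uniform coin r and a uniform index j that is not revealed."""
    single, whole = defaultdict(Fraction), defaultdict(Fraction)
    p = Fraction(1, 2 * len(oracles))
    for make, r in product(oracles, (0, 1)):
        q, a = verifier(r, make())
        whole[(a, r)] += p
        for j in range(2):
            single[(a[j], q[j])] += p / 2   # only the pair (a_j, q_j) is recorded
    return cond_entropy(single), cond_entropy(whole)

def lemma_holds_for_all_uniform_supports():
    """Check H(a_j | q_j) <= H(a | r) for every uniform distribution over 3-bit proofs."""
    all_proofs = ["".join(bits) for bits in product("01", repeat=3)]
    for size in range(1, len(all_proofs) + 1):
        for support in combinations(all_proofs, size):
            h_single, h_whole = entropies([proof(s) for s in support])
            if h_single > h_whole + 1e-9:
                return False
    return True

if __name__ == "__main__":
    print("stateless proofs:", entropies([proof(s) for s in ("001", "010", "111")]))
    print("stateful prover: ", entropies([stateful_prover]))
    print("lemma holds on all supports:", lemma_holds_for_all_uniform_supports())
```

Against the stateful prover the answer vector is fixed given r, yet the same query value receives different answers depending on its position, so the inequality of Lemma 4.4 fails.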
4.1 Proof of Claim 4.3: the Case $x \in L^Y$

Here we would like to show that $(C_1 \in \mathrm{CEB}^Y_{k-1/200,\,k-1/100}) \wedge (C_2 \in \mathrm{CEB}^N_{2\eta/\ell,\,1.1\eta/\ell}) \wedge (C_3 \in D^Y_{0.66,\beta})$. We study each of the generated instances $C_i$ for $i \in [3]$. In all these cases, we first assume that the simulator's output is identically distributed to the view of $V^{[\ell]}$ interacting with a prover and then show how to remove this assumption.


The Instance $C_1$. If the simulator's outputs were identically distributed to the view of $V^{[\ell]}$ interacting with a prover, then the simulated randomness $X_1 = r^i$ will be uniformly distributed over $\{0,1\}^k$ with entropy $k$ independently of $Y_1 = (\nu^1, \dots, \nu^{i-1})$. Since the simulator generates a view that is statistically close to the honest interaction (and since $k = \mathrm{poly}(|x|)$ and $H(\mathrm{negl}(n)) = \mathrm{negl}(n)$) we may apply Lemma 3.15 to deduce that $H(X_1 \mid Y_1) \ge k - \mathrm{negl}(n) \ge k - 1/200$. Therefore, $C_1 \in \mathrm{CEB}^Y_{k-1/200,\,k-1/100}$.


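The Instance $C_2$. Fix an arbitrary witness $w$ of $x \in L$, and we study the view of $V^{[\ell]}$ while interacting with a proof generated according to the distribution $\pi_{x,w}$ whose entropy is bounded by $\eta$. Suppose first that the simulator's outputs were identically distributed to the view of $V^{[\ell]}$ interacting with $\pi_{x,w}$. In this case, by an argument similar to [IMS12], one can show that

Claim 4.6. $\mathbb{E}_{i \leftarrow [\ell]}\, H(a^i \mid \nu^1, \dots, \nu^{i-1}, r^i) \le \eta/\ell$.

Proof.

$$\begin{aligned}
\eta + k\ell &\ge H(\pi_{x,w}) + H(r^1, \dots, r^\ell) \\
&= H(\pi_{x,w}, r^1, \dots, r^\ell) && (\pi_{x,w} \text{ and } r^1, \dots, r^\ell \text{ are independent}) \\
&\ge H(\nu^1, \dots, \nu^\ell) && (\pi_{x,w} \text{ and } r^1, \dots, r^\ell \text{ determine } \nu^1, \dots, \nu^\ell) \\
&= \sum_{i \in [\ell]} \Big[ H(r^i \mid \nu^1, \dots, \nu^{i-1}) + H(a^i \mid \nu^1, \dots, \nu^{i-1}, r^i) \Big] && (r^i \text{ and } a^i \text{ determine } q^i) \\
&= k\ell + \sum_{i \in [\ell]} H(a^i \mid \nu^1, \dots, \nu^{i-1}, r^i).
\end{aligned}$$

Therefore, by averaging over $i$ we obtain that $\mathbb{E}_{i \leftarrow [\ell]}\, H(a^i \mid \nu^1, \dots, \nu^{i-1}, r^i) \le \eta/\ell$. □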

The following claim is also based on the assumption that the simulation is perfect, and thus the distribution of $(\nu^1, \dots, \nu^\ell)$ generated by the simulator is identical to the view of $V^{[\ell]}$ run against $\pi \leftarrow \pi_{x \in L, w}$.

Claim 4.7. For each fixed value of $i$ and $(\nu^1, \dots, \nu^{i-1})$, it holds that

$$H(a^i_j \mid q^i_j, \nu^1, \dots, \nu^{i-1}) \le H(a^i \mid r^i, \nu^1, \dots, \nu^{i-1}). \qquad (1)$$

Namely, the entropy of the answers of the $i$th verification gives an upper bound on the entropy of the answer to a randomly chosen query of the verifier without revealing its index.

Proof. Let $(\pi_{x,w}, \nu^1, \dots, \nu^{i-1})$ be the joint distribution of an honest proof $\pi_{x,w}$ and $i - 1$ executions of the honest verifier using proof $\pi_{x,w}$. Apply Lemma 4.4 using the distribution over proofs given by $(\pi_{x,w} \mid \nu^1, \dots, \nu^{i-1})$, and with the honest verifier algorithm $V^i$ as the query algorithm accessing the proof. □

Using Claims 4.6 and 4.7, we conclude that $H(X_2 \mid Y_2) \le \eta/\ell$, assuming that the simulator was perfect. If we only assume that the simulator's output is statistically close to the view of $V^{[\ell]}$ interacting with $\pi_{x,w}$, then we can apply Lemma 3.15 and deduce that $H(X_2 \mid Y_2) \le \eta/\ell + \mathrm{negl}(n) \le 1.1\eta/\ell$, which implies that $C_2 \in \mathrm{CEB}^N_{2\eta/\ell,\,1.1\eta/\ell}$.

The Instance $C_3$. By the completeness of $\Pi$, when $V^{[\ell]} = (V^1, \dots, V^\ell)$ interacts with a proof, for all $i \in [\ell]$, $V^i$ accepts with probability $\ge 2/3$. Since the simulation is statistically close to the real interaction, it holds that $\nu^i$ is accepting with probability $2/3 - \mathrm{negl}(n) \ge 0.66$, and so $C_3 \in D^Y_{0.66,\beta}$.

4.2 Proof of Claim 4.3: the Case $x \in L^N$

Here we would like to show that $(C_1 \in \mathrm{CEB}^N_{k-1/200,\,k-1/100}) \vee (C_2 \in \mathrm{CEB}^Y_{2\eta/\ell,\,1.1\eta/\ell}) \vee (C_3 \in D^N_{0.66,\beta})$.

This follows from the following lemma.

Lemma 4.8. Suppose $x \in L^N$, $C_1 \notin \mathrm{CEB}^N_{k-1/200,\,k-1/100}$, and $C_2 \notin \mathrm{CEB}^Y_{2\eta/\ell,\,1.1\eta/\ell}$. Then it holds that $C_3 \in D^N_{0.66,\beta}$ for $\beta = 1/3 + 1/10 + 2m \cdot \eta/\ell$.


Intuition. Since $C_2 \notin \mathrm{CEB}^Y_{2\eta/\ell,\,1.1\eta/\ell}$, the oracle answers returned to the verifier in the $i$th execution (for a random $i \leftarrow [\ell]$) all have very low entropy and are thus close to a fixed proof. Moreover, due to $C_1 \notin \mathrm{CEB}^N_{k-1/200,\,k-1/100}$, the randomness of the verifier in this execution has almost full entropy, and therefore the $i$th execution is close to an honest execution of the verifier against some oracle. Finally, since $x \in L^N$, by the soundness of the PCP, the verifier would accept with probability at most $\approx 1/3$. The formal argument goes through a hybrid argument as follows.

Experiments. The outputs of all experiments described below consist of a view of $V^{[i]}$ (i.e. the first $i$ executions of the verifier). The distribution of $(\nu^1, \dots, \nu^{i-1})$ in all of these executions is the same and is sampled by $\mathrm{Sim}(x)$, and they only differ in the way they sample $\nu^i$.

• Experiment Real. Choose $i \leftarrow [\ell]$, and take the output $(\nu^1, \dots, \nu^i)$ by running $\mathrm{Sim}(x)$.

• Experiment Ideal. Choose $i \leftarrow [\ell]$, and take the output $(\nu^1, \dots, \nu^{i-1})$ by running $\mathrm{Sim}(x)$. To sample $\nu^i = (r^i, q^i, a^i)$ we first sample $r^i \leftarrow \{0,1\}^k$ uniformly at random, and then using $r^i$ we run the verifier against the oracle $\hat\pi$ defined as follows.

The Oracle $\hat\pi$: Suppose we have fixed $(\nu^1, \dots, \nu^{i-1})$. Recall the distribution $((q_j, a_j) \mid \nu^1, \dots, \nu^{i-1})$ defined above when defining the instance $C_2$ (i.e., $(a_j, q_j)$ is a randomly chosen pair of query-answer pairs from the view $\nu^i$ without revealing the index $j$). For every query $q$, the oracle $\hat\pi$ gets one sample according to $a \leftarrow (a_j \mid \nu^1, \dots, \nu^{i-1}, q_j = q)$ and sets $\hat\pi(q) = a$ forever. If $\Pr[q_j = q \mid \nu^1, \dots, \nu^{i-1}] = 0$, we define $\hat\pi(q) = \bot$.

• Experiment $\mathrm{Hyb}_j$ for $j \in [m + 1]$. These experiments are in between Real and Ideal and for larger $j$ they become closer to Real. Here we choose $i \leftarrow [\ell]$, and take the output $(\nu^1, \dots, \nu^i)$ by running $\mathrm{Sim}(x)$. Then we will re-sample parts of $\nu^i$ as follows. We will keep $(r^i, (q^i_1, a^i_1), \dots, (q^i_{j-1}, a^i_{j-1}))$ as sampled by $\mathrm{Sim}(x)$. For the remaining queries and answers we sample an oracle $\hat\pi$ as described in Ideal, and we let $(q^i_j, a^i_j), \dots, (q^i_m, a^i_m)$ be the result of continuing the execution of $V^i$ using $r^i$ and the oracle $\hat\pi$. Note that $\mathrm{Hyb}_{m+1} = \mathrm{Real}$.

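Claim 4.9. If $x \in L^N$ then $\Pr_{\mathrm{Ideal}}[\nu^i \text{ accepts}] \le 1/3$.

Claim 4.10. If $C_1 \notin \mathrm{CEB}^N_{k-1/200,\,k-1/100}$, then $\Delta(\mathrm{Ideal}, \mathrm{Hyb}_1) \le 1/10$.

Claim 4.11. If $C_2 \notin \mathrm{CEB}^Y_{2\eta/\ell,\,1.1\eta/\ell}$, then $\mathbb{E}_{j \leftarrow [m]}\, \Delta(\mathrm{Hyb}_j, \mathrm{Hyb}_{j+1}) \le 2\eta/\ell$.


Proving Lemma 4.8. Claims 4.9, 4.10, and 4.11 together imply that

$$\Pr_{\mathrm{Real}}[\nu^i \text{ accepts}] \le \Pr_{\mathrm{Ideal}}[\nu^i \text{ accepts}] + \Delta(\mathrm{Ideal}, \mathrm{Hyb}_1) + \sum_{j \in [m]} \Delta(\mathrm{Hyb}_j, \mathrm{Hyb}_{j+1}) \le 1/3 + 1/10 + 2m\eta/\ell$$

which proves that $C_3 \in D^N_{0.66,\beta}$. In the following we prove these claims.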

Proof of Claim 4.9. Since the oracle $\hat\pi$ is sampled and fixed before choosing $r^i$ and executing $V^i$, and because $x \in L^N$, by the soundness property of the PCP it holds that $\Pr_{\mathrm{Ideal}}[\nu^i \text{ accepts}] \le 1/3$. □

Proof of Claim 4.10. If $C_1 \notin \mathrm{CEB}^N_{k-1/200,\,k-1/100}$, then it means that we have $\mathbb{E}_{i \leftarrow [\ell]}[H(r^i \mid \nu^1, \dots, \nu^{i-1})] > k - 1/100$. By Lemma 3.13 it holds that

$$\mathbb{E}_{i \leftarrow [\ell],\ \nu^1, \dots, \nu^{i-1}}\big[\Delta\big((r^i \mid \nu^1, \dots, \nu^{i-1}),\ U_k\big)\big] \le \sqrt{1/100} = 1/10.$$

But note that the only difference between Ideal and $\mathrm{Hyb}_1$ is the way we sample $r^i$ conditioned on the previously sampled parts (i.e. $\nu^1, \dots, \nu^{i-1}$). Thus it holds that $\Delta(\mathrm{Ideal}, \mathrm{Hyb}_1) \le 1/10$. □

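Proof of Claim 4.11. The only difference between $\mathrm{Hyb}_j$ and $\mathrm{Hyb}_{j+1}$ is the way they answer $q^i_j$. In $\mathrm{Hyb}_{j+1}$ the original answer of the simulator is used, while in $\mathrm{Hyb}_j$ this answer is provided by the oracle $\hat\pi$. Thus, they are different only when the answer re-sampled by $\hat\pi$ differs from the original answer. Therefore, we have that:

$$\Delta(\mathrm{Hyb}_j, \mathrm{Hyb}_{j+1}) \le \mathbb{E}_{i \leftarrow [\ell],\ \nu^1, \dots, \nu^{i-1}} \Big[ \Pr_{a^i, q^i, \hat\pi}\big[a^i_j \ne \hat\pi(q^i_j) \mid i, \nu^1, \dots, \nu^{i-1}\big] \Big].$$

Taking an expectation over all $j \leftarrow [m]$ we conclude Claim 4.11 as follows.

$$\begin{aligned}
\mathbb{E}_{j \leftarrow [m]}\big[\Delta(\mathrm{Hyb}_j, \mathrm{Hyb}_{j+1})\big] &= \mathbb{E}_{j \leftarrow [m]}\ \mathbb{E}_{i \leftarrow [\ell],\ \nu^1, \dots, \nu^{i-1}} \Big[ \Pr_{a^i, q^i, \hat\pi}\big[a^i_j \ne \hat\pi(q^i_j) \mid i, \nu^1, \dots, \nu^{i-1}\big] \Big] \\
&= \mathbb{E}_{i \leftarrow [\ell],\ \nu^1, \dots, \nu^{i-1}} \Big[ \Pr_{j, a^i, q^i, \hat\pi}\big[a^i_j \ne \hat\pi(q^i_j) \mid i, \nu^1, \dots, \nu^{i-1}\big] \Big].
\end{aligned}$$

By combining the sampling of $a_j, q_j$ directly, we have that

$$\begin{aligned}
\mathbb{E}_{j \leftarrow [m]}\big[\Delta(\mathrm{Hyb}_j, \mathrm{Hyb}_{j+1})\big] &= \mathbb{E}_{i,\ \nu^1, \dots, \nu^{i-1}} \Big[ \Pr_{a^i_j, q^i_j, \hat\pi}\big[a^i_j \ne \hat\pi(q^i_j) \mid i, \nu^1, \dots, \nu^{i-1}\big] \Big] \\
&= \mathbb{E}_{i,\ \nu^1, \dots, \nu^{i-1}} \Big[ 1 - \Pr_{a^i_j, q^i_j, \hat\pi}\big[a^i_j = \hat\pi(q^i_j) \mid i, \nu^1, \dots, \nu^{i-1}\big] \Big] \\
&= \mathbb{E}_{i,\ \nu^1, \dots, \nu^{i-1},\ a^i_j, q^i_j} \Big[ 1 - \Pr_{\hat\pi}\big[a^i_j = \hat\pi(q^i_j) \mid i, \nu^1, \dots, \nu^{i-1}\big] \Big] \\
&\le \mathbb{E}_{i,\ \nu^1, \dots, \nu^{i-1},\ a^i_j, q^i_j} \Big[ \lg \frac{1}{\Pr_{\hat\pi}\big[a^i_j = \hat\pi(q^i_j) \mid i, \nu^1, \dots, \nu^{i-1}\big]} \Big] && \text{(since } 1 - \alpha \le \lg(1/\alpha) \text{ for } \alpha \in [0,1]\text{)} \\
&= \mathbb{E}_{i}\, H(a^i_j \mid \nu^1, \dots, \nu^{i-1}, q^i_j) && \text{(by the definition of oracle } \hat\pi\text{)} \\
&\le 2\eta/\ell. && \text{(since } C_2 \notin \mathrm{CEB}^Y_{2\eta/\ell,\,1.1\eta/\ell}\text{)}
\end{aligned}$$

□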